Government publishes long-awaited draft ecommerce bill

Will the etrade bill help or hinder you online?

The three-year row over who controls cryptography in the UK has taken a fresh twist with the draft publication of the government's Electronic Communications Bill (see Newswire 29 July).

The bill will let businesses and individuals safely trade online with a framework for the provision of public encrypted services. Companies who provide cryptographic services will also be regulated, which means that they must meet minimum standards for the customer. At least, that's the theory.

While the bill provides a potential ecommerce framework, in its present form this framework could strangle ecommerce in the UK.

The bill gives ministers broad powers to control the use of encryption, and allows the police and law enforcement community to tap data transmissions. The consequences for IT managers could be unpleasant.

If the bill remains unchanged, UK firms might get an ecommerce framework ignored by the rest of the world, and lose business to rivals in countries with more flexible frameworks. Changes are likely to result in further delays to final legislation, as politicians argue over the bill's contents in Parliament.

(Links to the bill, responses to previous consultations, the Trade and Industry Select Committee report, and supporting materials can be found at www.fipr.org/)

“The tone of the bill, with its concentration on legal liability and the prevalence of statutory instruments, may not help fulfil the government's aim of making Britain the best environment in the world to trade electronically,” says Richard Sullivan, policy manager at the Computing Services and Software Association.

Civil servants have been trying to stake a claim in cyberspace since the mid 1990s by advocating legislation to restrict the use of cryptography on the Internet. The Conservatives proposed compulsory licensing of services while in government, but recanted in opposition. Labour opposed controls in opposition, but now has produced a series of proposals for legislation.

The government has decided that licensing of services will be voluntary. This will cover both the encryption mechanisms used to provide confidentiality, and the digital signature mechanisms used for authentication.

A key aspect of the bill is use of digital signatures for ecommerce. The Society for Computers and the Law says there are about 40,000 laws and regulations in the UK that require particular business transactions to use 'writing' or a 'signature'.

Previously, special laws had to be passed to permit particular electronic systems to operate, such as the Bank of England's Crest system, which registers share trading electronically. But thousands of businesses are now trying to move online via the Net, which means that there could be legal and regulatory chaos if the same procedure were followed.

Other countries already accept digital signatures, and UK industry hoped that the bill would permit these to be used wherever existing laws or regulations referred to the need for something in writing. Instead, it stops short of a sweeping recognition of digital signatures, and only gives ministers the power to make regulations for the industries in their area.

There are two further problems: there is no deadline by which existing laws must be updated to accommodate digital signatures, and there appears to be no central co-ordination. So while the bill eases the use of digital signatures, their adoption could take some time. Until the relevant department gives its approval to digital signatures, their legal situation remains uncertain.

There is also controversy over the powers given to the law enforcement community. Police and intelligence services claim widespread use of encryption could interfere with their operations. The bill gives authorities the power to require decryption of encrypted data. This is part of the police's strategy to extend existing powers of interception of communications from postal and phone services to data communications.

Should the police succeed, IT departments may face unnecessary cost and inconvenience. Regulations are expected to state that all encryption keys must be kept centrally, in case they are required by the police or staff with security clearance.

If keys are lost, if staff fail to comply or if anyone learns that a wiretap is in progress, prosecution could follow. Then there is the cost of changing keys after an investigation.

Another concern is that the bill will give ministers and officials broad powers to interfere in the digital economy. First, the bill proposes the creation of a kitemark which would be adopted by companies who sell security services. The kitemark would, in theory, boost customer confidence by attaching minimum conditions of quality.

However, a kitemark may prove lengthy to create and administer, and many companies may be unwilling to spend time attaining the mark. “Electronic businesses can trade from anywhere in the world. Threatening a mountain of red tape will cause ebusiness to move to places with a more supportive climate such as Ireland or Canada,” says Caspar Bowden, director of the Foundation for Information Policy Research.

Second, ministers and civil servants also have powers under the bill to tamper with the future digital economy. They will be able to make future ecommerce regulations without Parliamentary debate – an established process called secondary legislation or statutory instruments. This means we will not know what to expect from the government until after the bill is made law and the regulations finally published.

There are two opinions on what the bill means for companies. Some say it will have little impact on the growing digital economy, because with about five per cent of the world software market, the UK has little influence. So industry standards over encryption and digital signatures will continue to be set by whatever products succeed in the US marketplace, and UK regulations will have to follow. Optimists also hope that the bill will bring the long-running debate over encryption policy to an end.

The Department of Trade and Industry (DTI) is the department responsible for the bill. One ex minister, who wished to remain anonymous, said part of the bill's objective was to satisfy the law enforcement community's growing interest in use of encryption for ecommerce. “All the DTI wants is to get the Home Office off its back on this issue,” he said.

However, the bill could also see a second possible outcome: the twin effects of statutory powers and the vague status of digital signatures means that the government could cause all sorts of practical problems during the implementation of a national infrastructure for ecommerce.

DTI officials said they will favour large organisations to provide cryptography services, known as certification authorities (CAs) or trusted third-parties. But not only is this unfair to suppliers – favouring BT over a small but more entrepreneurial Internet service provider, for example – but it will also limit the number of CAs and trusted third-parties available for companies to choose from.

Another practical problem will be the management of cryptographic keys if the final legislation demands that a company's keys are held centrally. This could be expensive for distributed companies and those whose staff are managed locally, such as banks, retailers and even the government.

The law enforcement community favours accessing information from a single point in large organisations, instead of dealing with local or branch managers. In a separate initiative, intelligence agency GCHQ is pushing for a single key management centre for the NHS rather than allowing hospitals and surgeries to manage their own keys.

The question of which standards are adopted for a kitemark is also likely to be a thorny issue, as civil servants have a poor track record in this area. NHS civil servants opted for a legacy messaging protocol, X.400, to send messages across the growing NHSnet network, at a time when the rest of the IT community embraced simple mail transfer protocol. Giving civil servants the power to set another category of standards could be risky.

Another potential problem is the bill's structure. The term 'electronic signature' has different meanings within the bill, and it's unclear under what circumstances digital signatures could be submitted as evidence in a dispute.

'The bill makes electronic signatures admissible in evidence if they are contained in messages, but not if they are only contained in electronic documents.

“This is bizarre,” says Nick Bohm, member of the ecommerce working party at the Law Society.

The bill's apparent confused structure was one reason why the Conservatives refused to allow it to be pushed quickly through Parliament. Alan Duncan, shadow trade and industry spokesman, says the bill is a mess. “We need a simple three-page bill, not a 30-page bill,” he says.

Jeremy Hilton, cofounder of business to business ecommerce forum the International Commerce Exchange (ICX) says politicians should separate the interception of communications elements from the bill.

He says that the proposals for the extension of tapping are unpopular, and the government is trying to hide them in the bill, rather than extend existing laws which cover the interception of post and telephone traffic.

Poor definition and fighting over extension of police powers are likely to produce more political fighting in Parliament and further delay the final creation of an ecommerce framework. The industry is concerned that the UK will slip further behind economic rivals such as Ireland, Canada and Australia, who are already establishing flexible frameworks for ecommerce.

Microsoft UK chairman David Svendsen says the bill is a 'golden opportunity' for the UK to finally become an ecommerce hub in Europe.

So, after three years of fighting, we finally have a draft ecommerce bill – but it is far from perfect. The bill enables ministers to control cryptography, gives police the power to snoop on data, and is likely to widen the gap between the UK and its economic rivals on the ecommerce superhighway.

We have until 8 October to submit comments on the bill, although cynics suggest that the bill's most objectionable conditions have been inserted as a ploy, and will be removed in the final text. This undermines opposition and sidelines all but the core of diehard critics. Until then, IT managers are likely to press on with ecommerce strategies in the hope that something gets sorted out.

(See Computing for more stories and analysis)